Friday Feb 03, 2023

Implications of poor design on security - an example

Google and how they do their technology

Things that make security hard.

This is not an exhaustive list of the implications of poor design on security. Covering that topic adequately would likely rival the size of War and Peace. This is a discussion of a tangible example to convey how technology selection directly correlates to an organization's ability to secure its overall environment. To accommodate something poorly designed, larger-than-necessary holes may need to be carved through security. Please get your CISO and security architect to perform a risk assessment of the technology BEFORE procurement.

Recent security news alerts discussed again why advertisements must be blocked. Google’s own ad network has been used for hosting and serving malware to victims.

Google and their netblocks

Their guidance to you is to whitelist their entire network blocks, which is beyond insane. It is just like the insanity of whitelisting *.windows.net, which is what some SaaS providers who host their resources on Azure advocate.

Azure-hosted customer resources are on windows.net. That means a hacker can dial up a hosted VM, and that VM is on a windows.net FQDN and IP space.

You cannot just whitelist all of Azure either.

https://ipinfo.io/AS15169

Beware that software companies will put out idiotic statements in their support documentation that tell IT professionals to “open ports [range of ports] to all IP addresses contained in the IP blocks listed in Google’s ASN.”

Let’s be clear. Those are IP addresses not just for Google’s internal company resources. They include customer-hosted resources whose content Google does not control, manage, or secure. So the Google netblocks represent 73.5 million domains.

There is NO legal defensibility in creating a hole that massive through any security system. Yet this is likely what 99% of IT professionals are doing because they are not network security architects. Business decision-makers must understand that there is a lot of bad advice that comes out of even major companies as it relates to information security risk management. They put out insane statements such as whitelisting the IP space representing 73.5 million domains.

Even if you look up a separate Google ASN, it is still 18,933,082 domains. That is clearly a massive amount more than just the small amount of resources that you legitimately need to access for something like Google reCAPTCHA to work. But because of the way that Google has designed their infrastructure, your ability to have network security is hampered.
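One way to check an existing allowlist for the kind of over-broad rule described above; this is an added example, not code from the original post. The rule format, the thresholds and the sample rules are assumptions constructed for illustration, and the CIDRs are reserved documentation/benchmark ranges rather than any vendor's real prefixes.

```python
import ipaddress

# Assumption: domains where anyone can rent a hostname; windows.net is the post's example.
SHARED_TENANT_SUFFIXES = ("windows.net",)
MAX_ADDRESSES = 256  # assumption: widest destination accepted without review
MAX_PORTS = 2        # assumption: e.g. 80 and 443

# Constructed sample rules. The CIDRs are reserved documentation/benchmark
# ranges and the hostname is made up; none are real vendor prefixes.
RULES = [
    {"name": "vendor-doc-asn", "dst": "198.18.0.0/15", "ports": "1024-65535"},
    {"name": "saas-wildcard", "dst": "*.windows.net", "ports": "443"},
    {"name": "saas-tenant", "dst": "exampletenant.blob.core.windows.net", "ports": "443"},
    {"name": "single-host", "dst": "203.0.113.10/32", "ports": "80,443"},
]

def port_count(spec):
    """Count ports in a spec such as '443' or '80,443,8000-8100'."""
    total = 0
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def audit_rule(rule):
    """Return the findings for one allow rule; an empty list means no finding."""
    findings = []
    dst = rule["dst"].lower().rstrip(".")
    try:
        net = ipaddress.ip_network(dst, strict=False)
    except ValueError:
        net = None  # not an IP or CIDR, so treat it as a hostname pattern
    if net is not None and net.num_addresses > MAX_ADDRESSES:
        findings.append(f"destination covers {net.num_addresses} addresses")
    if net is None and dst.startswith("*."):
        base = dst[2:]
        if any(base == s or base.endswith("." + s) for s in SHARED_TENANT_SUFFIXES):
            findings.append(f"wildcard on shared-tenant domain {base}")
    ports = port_count(rule["ports"])
    if ports > MAX_PORTS:
        findings.append(f"{ports} ports open")
    return findings

def audit(rules):
    """Map each rule name to its findings."""
    return {rule["name"]: audit_rule(rule) for rule in rules}

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name, "->", "; ".join(findings) or "ok")
```

Rules that name a single tenant FQDN or a single host on one or two ports pass; the ASN-style range and the shared-domain wildcard are reported for review.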

 

https://chronicler.tech/firewall-considerations-for-google-recaptcha/

 

Autoblocking and DNS latency.

One of the major problems with using anything on Google’s infrastructure is that their entire system was never designed for compatibility with selective controls.

It was not mail.google.com. It was google.com/mail.

It was not drive.google.com, it was really google.com/drive. The real infrastructure was hosted as a subdomain of Google.

And then so many web developers have made Google Analytics a mandatory component of how their website infrastructure works that you have to allow it. It just allows Google to be a data vampire.

 

Microsoft in contrast

https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

 

There is a strong tendency among IT support personnel to engage in over-troubleshooting. They follow software vendors’ recommendations and end up driving holes the size of North America through your security configuration. Please ensure that the personnel who are managing network security for your organization are actually qualified to do it.


Copyright QPC Security All rights reserved.
